CAPEC-178 - Cross-Site Flashing

An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the attacker to exploit native Flash functionality in the client browser. This attack pattern occurs where an attacker can provide a crafted link to a Flash document (SWF file) which, when followed, will cause additional malicious instructions to be executed. The attacker does not need to serve or control the Flash document. The attack takes advantage of the fact that Flash files can reference external URLs. If variables that serve as URLs that the Flash application references can be controlled through parameters, then by creating a link that includes values for those parameters, an attacker can cause arbitrary content to be referenced and possibly executed by the targeted Flash application.

Severity

Likelihood

Confidentiality

Integrity

Availability

  • Attack Methods (1): Injection
  • Purposes (1): Exploitation
  • Scopes (7):
    • Modify files or directories (Integrity)
    • Read files or directories (Confidentiality)
    • Modify application data (Integrity)
    • Read application data (Confidentiality)
    • Execute unauthorized code or commands (Authorization)
    • Gain privileges / assume identity (Non-Repudiation, Authorization, Authentication, Accountability)
    • Bypass protection mechanism (Authorization, Access_Control)

Medium skill level: knowledge of Flash internals, of how parameters (query string, FlashVars, SetVariable) reach a movie, and of how remote movies are referenced.

The targeted Flash application must reference external URLs and the locations thus referenced must be controllable through parameters. The Flash application must fail to sanitize such parameters against malicious manipulation. The victim must follow a crafted link created by the attacker.

Step 1 - Identification

Using a browser or an automated tool, the attacker records every instance of a URL (or partial URL, such as a domain) passed to a Flash file (SWF).

Technique ID: 1 - Environment(s) env-Web

Use an automated tool (an intercepting proxy or spider) to record the variables passed to a Flash file.

Technique ID: 2 - Environment(s) env-Web

Use a browser to manually explore the website and analyze how the Flash file receives variables, e.g. JavaScript using SetVariable/GetVariable, the HTML FlashVars param tag, the query string of the SWF URL, etc.

Technique ID: 3 - Environment(s) env-Web

Use a decompiler to retrieve the Flash source code and record every user-controllable variable that reaches a loadMovie* directive (loadMovie, loadMovieNum, MovieClipLoader.loadClip, or Loader.load in ActionScript 3).
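The three techniques above can be folded into one offline pass. The following Python script is an added example, not part of the CAPEC entry or of any tool it mentions: it records every parameter a page hands to an SWF (the query string of the movie URL, a FlashVars <param> inside <object>, or an <embed flashvars> attribute), flags the values that already look like URLs, and scans decompiled ActionScript text for loadMovie/loadMovieNum/loadClip/load calls whose URL argument is built from _root, _levelN, _global or loaderInfo.parameters. The HTML and ActionScript samples, host names and file names are constructed for the example.

```python
"""Added example: enumerate the parameters a page hands to its SWF files
and the loadMovie*-style calls in decompiled ActionScript whose URL comes
from a user-controllable variable."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, unquote, urlsplit

# Deliberately loose notion of "looks like a URL": absolute or scheme-relative
# URL, absolute path, a dotted host name, or anything ending in .swf.
URL_LIKE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*:)?//"               # http://..., //host/...
    r"|^/\w"                                    # /path/on/this/host
    r"|^[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:[/:]|$)"  # cdn.example.com, x.swf
    r"|\.swf(?:$|\?)",
    re.I,
)


def url_like(value):
    return bool(URL_LIKE.search(unquote(value)))


class SwfParamCollector(HTMLParser):
    """Records (swf_path, name, value, where_found) for every parameter
    reaching an SWF through its URL query string, a <param name="FlashVars">
    tag inside <object>, or an <embed flashvars="..."> attribute."""

    def __init__(self):
        super().__init__()
        self.params = []
        self._object_swf = None   # SWF path of the <object> currently open

    def _add_swf(self, url, where):
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            self.params.append((parts.path, name, value, where))
        return parts.path

    def _add_flashvars(self, swf, flashvars, where):
        for name, value in parse_qsl(flashvars, keep_blank_values=True):
            self.params.append((swf, name, value, where))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # HTMLParser lowercases attribute names
        if tag == "object":
            self._object_swf = self._add_swf(a["data"], "object data") if a.get("data") else None
        elif tag == "param" and a.get("name", "").lower() == "movie":
            self._object_swf = self._add_swf(a.get("value", ""), "param movie")
        elif tag == "param" and a.get("name", "").lower() == "flashvars":
            self._add_flashvars(self._object_swf or "?", a.get("value", ""), "param FlashVars")
        elif tag == "embed" and a.get("src", "").lower().split("?")[0].endswith(".swf"):
            swf = self._add_swf(a["src"], "embed src")
            if "flashvars" in a:
                self._add_flashvars(swf, a["flashvars"], "embed flashvars")

    def handle_endtag(self, tag):
        if tag == "object":
            self._object_swf = None


def collect_html_params(html):
    collector = SwfParamCollector()
    collector.feed(html)
    collector.close()
    return collector.params


def url_params(params):
    """Techniques 1/2: parameters whose value already carries a URL."""
    return [(swf, name, value) for swf, name, value, _ in params if url_like(value)]


# Technique 3: a load call whose URL argument is built from FlashVars-style
# input (_root/_levelN/_global in AS2, loaderInfo.parameters in AS3).
LOAD_CALL = re.compile(r"\b(loadMovie(?:Num)?|loadClip|load)\s*\(\s*([^,)]*)")
USER_INPUT = re.compile(
    r"\b(?:_root|_level\d+|_global)\.(\w+)"
    r"|loaderInfo\.parameters(?:\.(\w+)|\[\s*[\"'](\w+)[\"']\s*\])"
)


def tainted_loads(source):
    """Return (call, parameter_name) for every load call fed by user input."""
    hits = []
    for m in LOAD_CALL.finditer(source):
        call, arg = m.group(1), m.group(2)
        for v in USER_INPUT.finditer(arg):
            hits.append((call, v.group(1) or v.group(2) or v.group(3)))
    return hits


# Constructed samples (not taken from any real site or decompiled file).
SAMPLE_HTML = """
<object data="/player.swf?movie=intro.swf&amp;autoplay=1" type="application/x-shockwave-flash">
  <param name="FlashVars" value="skin=http://cdn.example.com/skins/blue.swf&amp;lang=en">
</object>
<embed src="/widget.swf?config=/cfg/default.xml" flashvars="theme=dark&amp;cb=news.example.com"
       type="application/x-shockwave-flash">
"""

SAMPLE_AS2 = """
var skinUrl = _root.skin;
loadMovie(_root.movie, "container_mc");
loadMovieNum("/static/intro.swf", 1);
mcLoader.loadClip(_level0.skin + "/theme.swf", target_mc);
"""

if __name__ == "__main__":
    for swf, name, value in url_params(collect_html_params(SAMPLE_HTML)):
        print(f"{swf}: {name} = {value!r}  <- URL-valued parameter")
    for call, name in tainted_loads(SAMPLE_AS2):
        print(f"{call}() takes its URL from user-controlled variable {name!r}")
```

The URL heuristic is intentionally noisy (any dotted name counts), because a parameter such as movie=intro.swf is exactly the kind of value worth trying to replace with an attacker-hosted movie in the next phase; the decompiled-source scan is the one that separates real sinks from incidental parameters.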

Indicator ID: 1 - Environment(s) env-Web

Type: Positive

A URL is passed as a parameter to a Flash file (SWF).

Indicator ID: 2 - Environment(s) env-Web

Type: Inconclusive

No variables appear in the URL. Even though none appear, the Flash movie may still use them if they are provided.

Indicator ID: 3 - Environment(s) env-Web

Type: Negative

The application does not use variables to specify which URL to load remote Flash movies from.


Outcome ID: 1

Type: Success

A list of Flash files, with their corresponding parameters, is created by the attacker.



Step 1 - Attempt to inject a remote flash file

The attacker makes use of a remotely available Flash file (SWF) that generates a uniquely identifiable output when executed inside the targeted Flash file.

Technique ID: 1 - Environment(s) env-Web

Modify the variable of the SWF file that contains the remote movie URL so that it points to the attacker-controlled Flash file, e.g. by setting it in the query string of the SWF URL or in the FlashVars value of a crafted link.

Indicator ID: 1 - Environment(s) env-Web

Type: Positive

The attacker's flash movie is being executed in the targeted movie.

Indicator ID: 2 - Environment(s) env-Web

Type: Inconclusive

The targeted Flash movie does not appear to allow the inclusion of Flash movies from untrusted domains (restricted by the crossdomain.xml file or by the allowDomain setting inside the Flash movie itself).


Outcome ID: 1

Type: Success

The attacker's Flash movie can access the targeted Flash movie's internal variables.

Outcome ID: 2

Type: Failure

The attacker's Flash movie cannot access any content of the targeted Flash movie.



Step 1 - Access or Modify Flash Application Variables

Once the attacker has succeeded in exploiting the vulnerability, he targets the content of the Flash application to steal variable contents, passwords, etc.

Technique ID: 1 - Environment(s) env-Web

Develop a malicious Flash application that is injected through the vectors identified during the Experiment phase, loaded by the Flash plugin in the victim's browser, and sends document information to the attacker.

Technique ID: 2 - Environment(s) env-Web

Develop a malicious Flash application that is injected through the vectors identified during the Experiment phase, takes commands from an attacker's server, and causes the targeted Flash application to execute them.

Security Control ID: 1

Type: Preventative

Apply appropriate configuration settings for cross domain flash applications in the crossdomain.xml file.

Security Control ID: 2

Type: Preventative

Apply appropriate configuration settings for cross domain flash applications inside the flash application.


Outcome ID: 1

Type: Success

The attacker gets the user's session identifiers or other credentials.

Outcome ID: 2

Type: Success

The attacker gets the content of the variables used in the Flash application.

Outcome ID: 3

Type: Success

The attacker causes the Flash application to be remotely controlled.


Step 2 - Execute JavaScript in victim's browser

When the attacker targets the current Flash application, he can choose to inject JavaScript into the client's DOM (for example through getURL("javascript:...") in ActionScript 2 or ExternalInterface.call in ActionScript 3, where the embedding page's allowScriptAccess setting permits it) and therefore carry out a cross-site scripting attack.

Technique ID: 1 - Environment(s) env-Web

Develop malicious JavaScript that is injected from the rogue Flash movie into the targeted Flash application through the vectors identified during the Experiment phase and loaded by the victim's browser.

Security Control ID: 1

Type: Preventative

Apply appropriate configuration settings for cross domain flash applications in the crossdomain.xml file.

Security Control ID: 2

Type: Preventative

Apply appropriate configuration settings for cross domain flash applications inside the flash application.


Outcome ID: 1

Type: Success

The attacker is able to execute a DOM based cross-site scripting attack on the victim.



Implementation: Only allow known URLs to be loaded as remote Flash movies. Compare the parameter value against an allow-list of hosts and paths held inside the application before passing it to loadMovie, loadMovieNum, MovieClipLoader.loadClip or Loader.load, and reject anything else rather than trying to sanitize it.

Configuration: Properly configure the crossdomain.xml file so that it names only the known domains that should be able to read data from this site, and avoid wildcard entries. Note that crossdomain.xml is a server-side policy governing which foreign SWFs may load data from your domain; it does not stop your own application from loading an attacker's SWF, so the in-application allow-list above is the primary control. Keep System.security.allowDomain (ActionScript 2) or Security.allowDomain (ActionScript 3) restricted to the same known domains, so that a loaded movie cannot script the host movie.
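What those two mitigations look like as concrete checks, as an added example that is not taken from CAPEC, Adobe or any Flash application: audit_policy() parses a crossdomain.xml document and reports the settings that widen access, and resolve_movie_url() mirrors, in Python so it can run offline, the allow-list an application should apply to a movie parameter before handing it to loadMovie*, refusing foreign hosts, non-https schemes, userinfo tricks, query strings and path traversal. The two policy documents, the hosts www.example.com and cdn.example.com and the /movies/ directory are assumptions for the example.

```python
"""Added example: audit a crossdomain.xml policy and mirror the URL
allow-list a Flash application should apply to a movie parameter."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed policies; the host names are assumptions.
WEAK_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all" />
  <allow-access-from domain="*" secure="false" />
  <allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>
"""

HARDENED_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="www.example.com" secure="true" />
  <allow-access-from domain="cdn.example.com" secure="true" />
</cross-domain-policy>
"""


def audit_policy(xml_text):
    """Return the policy settings that widen access beyond known domains."""
    root = ET.fromstring(xml_text)
    findings = []
    sc = root.find("site-control")
    if sc is not None and sc.get("permitted-cross-domain-policies") in ("all", "by-content-type", "by-ftp-filename"):
        findings.append("site-control: policy files other than the master /crossdomain.xml are honoured")
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any SWF anywhere may read data from this host')
        elif "*" in domain:
            findings.append(f'allow-access-from domain="{domain}": every host matching the wildcard is trusted')
        if el.get("secure", "true").lower() == "false":
            findings.append(f'allow-access-from domain="{domain}" secure="false": plain-HTTP SWFs may read HTTPS content')
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*" or el.get("headers") == "*":
            findings.append("allow-http-request-headers-from: wildcard domain or header list")
    return findings


ALLOWED_MOVIE_HOSTS = {"www.example.com", "cdn.example.com"}   # assumed
DEFAULT_BASE = "https://www.example.com/movies/"               # assumed
MOVIE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.swf$")
MOVIE_PATH = re.compile(r"^/movies/[A-Za-z0-9_-]+\.swf$")


def resolve_movie_url(value):
    """Return the URL to hand to loadMovie*, or None to refuse the value.
    A bare file name is mapped into the site's own movie directory; anything
    else must be an https URL on an allow-listed host with a plain
    /movies/<name>.swf path. The ActionScript must perform the same test."""
    parts = urlsplit(value)
    if parts.query or parts.fragment:
        return None
    if not parts.scheme and not parts.netloc:          # "intro.swf"
        return DEFAULT_BASE + parts.path if MOVIE_NAME.match(parts.path) else None
    if parts.scheme != "https":                         # http:, javascript:, //host/...
        return None
    try:
        if parts.port not in (None, 443):
            return None
    except ValueError:                                  # malformed port
        return None
    if parts.username is not None or parts.hostname not in ALLOWED_MOVIE_HOSTS:
        return None
    if not MOVIE_PATH.match(parts.path):
        return None
    return f"https://{parts.hostname}{parts.path}"


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, audit_policy(policy) or "no findings")
    for candidate in ("intro.swf", "http://attacker.example/evil.swf",
                      "//attacker.example/evil.swf", "javascript:alert(1)"):
        print(candidate, "->", resolve_movie_url(candidate))
```

The allow-list deliberately reconstructs the URL from the parsed host and path instead of returning the caller's string, so that encoding variants and user@host forms cannot survive the check; in the Flash application the equivalent is a comparison against a literal list of movie names or URLs, not a substring test for the expected domain.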